sudo pfctl -s info 2&>/dev/null | awk '/Status/{print $2}'

the nicety/side effect of me just running code that wraps pfctl is I can also make sure what rules are in place and what order they're in, since I'm allowing end users to open additional ports at this point. I may want to parse ranges and audit those additional rules so it's not the worst thing in the world it isn't already built-in to osquery